The structure of SAP is such that the privilege to create a user and to allocate the role/activity to perform any function is given through a single transaction code.
The inability to allocate roles and create users or reset their passwords through two different channels (transaction codes) is a structural weakness within SAP which can only be addressed by the technical people of SAP AG.
An ideal segregation would require these complementary functions to be performed by two different users. That is, the person who has the ability to create a user should not be allowed to assign the roles at the same time. Moreover, the fact that the structure of SAP enables any user to individually assign the roles without any other user's interference does increase an inherent risk in SAP.
Moreover, based on the ideal security level the ability to allocate roles/transaction codes in SAP should not be such that it is executable by a user individually on his own.
A person who has SU01 or PFCG is, in reality, a super user. Can you suggest how to reduce the ability of the super user and especially the ability to individually assign roles to anyone, along with himself?
Security and Data Protection with SAP Systems, published by SAP-PRESS in 2001, has an interesting chapter on distribution of roles and authorization maintenance. Unfortunately, the authors limit themselves to an explanation of the concept. The technical implementation is not discussed. The chapter more or less discusses the issue you are describing and a possible solution.
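The question describes the SU01 plus PFCG combination as a de facto super user, and the answer points to a concept rather than an implementation. One detective control an auditor can run against that combination is a segregation-of-duties check over the user-to-transaction assignments. The script below is an added example and is not part of the original Q&A, the book, or any SAP-delivered tool. It works on a constructed extract of (user, transaction code) pairs; the grouping of transactions into a "user administration" set (SU01, SU10) and a "role administration" set (PFCG) is an assumption chosen for this example, and in a live system the extract would come from the authorization and role-assignment tables rather than the inline list.

```python
"""Segregation-of-duties (SoD) check for SAP user administration.

Added example, not from the original Q&A. It flags every user who holds
both a user-maintenance transaction (create users, reset passwords) and a
role-maintenance transaction (create roles, assign roles to users), the
combination the question describes as a super user.
"""
from collections import defaultdict

# Conflict rule: holding any transaction from BOTH groups violates SoD.
# Group membership is an assumption for this example, not an SAP definition.
USER_ADMIN_TCODES = {"SU01", "SU10"}   # single / mass user maintenance
ROLE_ADMIN_TCODES = {"PFCG"}            # role maintenance and assignment

# Constructed sample extract: (user id, transaction code the user may execute).
# In practice this would be pulled from the role/transaction assignment tables.
SAMPLE_ASSIGNMENTS = [
    ("BASIS01", "SU01"),
    ("BASIS01", "PFCG"),     # conflict: can create a user and hand it roles
    ("BASIS01", "SM21"),
    ("USRADM1", "SU01"),     # user administration only
    ("USRADM1", "SU10"),
    ("ROLADM1", "PFCG"),     # role administration only
    ("AUDIT01", "SUIM"),     # read-only reporting, no conflict
]


def tcodes_by_user(assignments):
    """Group assignment rows into {user: set(transaction codes)}."""
    by_user = defaultdict(set)
    for user, tcode in assignments:
        by_user[user].add(tcode)
    return by_user


def sod_conflicts(assignments):
    """Return {user: (user_admin_tcodes_held, role_admin_tcodes_held)} for
    every user who can both maintain users and maintain/assign roles.
    Users holding only one side of the pair are not reported."""
    conflicts = {}
    for user, tcodes in tcodes_by_user(assignments).items():
        user_admin = tcodes & USER_ADMIN_TCODES
        role_admin = tcodes & ROLE_ADMIN_TCODES
        if user_admin and role_admin:
            conflicts[user] = (sorted(user_admin), sorted(role_admin))
    return conflicts


def report(assignments):
    """One review line per conflicting user, sorted by user id."""
    lines = []
    for user, (user_admin, role_admin) in sorted(sod_conflicts(assignments).items()):
        lines.append(
            f"{user}: user admin {','.join(user_admin)} "
            f"+ role admin {','.join(role_admin)}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ASSIGNMENTS):
        print(line)
```

Running the script on the constructed extract reports only BASIS01, who holds SU01 and PFCG together; USRADM1 and ROLADM1 each hold one side of the pair, which is the split the question calls an ideal segregation. The check is a compensating, detective control: it does not remove the structural ability to self-assign that the question raises, but it makes any user who ends up holding both halves visible for review.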